archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/services/ca/ocmsetup/usecert.cpp

664 lines
19 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1997 - 1999
  6. //
  7. // File: usecert.cpp
  8. //
  9. // Contents: cert store and file operations
  10. //
  11. //--------------------------------------------------------------------------
  13. #include "pch.cpp"
  14. #pragma hdrstop
  16. #include <wincrypt.h>
  18. #include "initcert.h"
  19. #include "cscsp.h"
  20. #include "cspenum.h"
  21. #include "wizpage.h"
  22. #include "usecert.h"
  24. #define __dwFILE__ __dwFILE_OCMSETUP_USECERT_CPP__
  26. typedef struct _EXISTING_CA_IDINFO {
  27. LPSTR pszObjId;
  28. WCHAR **ppwszIdInfo;
  29. } EXISTING_CA_IDINFO;
  32. /*
  33. EXISTING_CA_IDINFO g_ExistingCAIdInfo[] = {
  34. {szOID_COMMON_NAME, NULL},
  35. {szOID_ORGANIZATION_NAME, NULL},
  36. {szOID_ORGANIZATIONAL_UNIT_NAME, NULL},
  37. {szOID_LOCALITY_NAME, NULL},
  38. {szOID_STATE_OR_PROVINCE_NAME, NULL},
  39. {szOID_RSA_emailAddr, NULL},
  40. {szOID_COUNTRY_NAME, NULL},
  41. {NULL, NULL},
  42. };
  43. */
  45. HRESULT
  46. myMakeExprValidity(
  47. IN FILETIME const *pft,
  48. OUT LONG *plDayCount)
  49. {
  50. HRESULT hr;
  51. FILETIME ft;
  52. LONGLONG llDelta;
  54. *plDayCount = 0;
  56. // get current time
  58. GetSystemTimeAsFileTime(&ft);
  60. llDelta = mySubtractFileTimes(pft, &ft);
  61. llDelta /= 1000 * 1000 * 10;
  62. llDelta += 12 * 60 * 60; // half day more to avoid truncation
  63. llDelta /= 24 * 60 * 60;
  65. *plDayCount = (LONG) llDelta;
  66. if (0 > *plDayCount)
  67. {
  68. *plDayCount = 0;
  69. }
  70. hr = S_OK;
  72. //error:
  73. return hr;
  74. }
  76. //--------------------------------------------------------------------
  77. // returns true if the CA type is root and the cert is self-signed,
  78. // or the CA type is subordinate and the cert is no self-signed
  79. HRESULT
  80. IsCertSelfSignedForCAType(
  81. IN CASERVERSETUPINFO * pServer,
  82. IN CERT_CONTEXT const * pccCert,
  83. OUT BOOL * pbOK)
  84. {
  85. CSASSERT(NULL!=pccCert);
  86. CSASSERT(NULL!=pServer);
  87. CSASSERT(NULL!=pbOK);
  89. HRESULT hr;
  90. DWORD dwVerificationFlags;
  91. BOOL bRetVal;
  93. // See if this cert is self-signed or not.
  94. // First, we flag what we want to check: "Use the public
  95. // key in the issuer's certificate to verify the signature on
  96. // the subject certificate."
  97. // We use the same certificate as issuer and subject
  98. dwVerificationFlags=CERT_STORE_SIGNATURE_FLAG;
  99. // perform the checks
  100. bRetVal=CertVerifySubjectCertificateContext(
  101. pccCert,
  102. pccCert, // issuer same as subject
  103. &dwVerificationFlags);
  104. if (FALSE==bRetVal) {
  105. hr=myHLastError();
  106. _JumpError(hr, error, "CertVerifySubjectCertificateContext");
  107. }
  108. // Every check that passed had its flag zeroed. See if our check passed
  109. if (CERT_STORE_SIGNATURE_FLAG&dwVerificationFlags){
  110. // This cert is not self-signed.
  111. if (IsRootCA(pServer->CAType)) {
  112. // A root CA cert must be self-signed.
  113. *pbOK=FALSE;
  114. } else {
  115. // A subordinate CA cert must not be self-signed.
  116. *pbOK=TRUE;
  117. }
  118. } else {
  119. // This cert is self-signed.
  120. if (IsSubordinateCA(pServer->CAType)) {
  121. // A subordinate CA cert must not be self-signed.
  122. *pbOK=FALSE;
  123. } else {
  124. // A root CA cert must be self-signed.
  125. *pbOK=TRUE;
  126. }
  127. }
  129. hr=S_OK;
  131. error:
  132. return hr;
  133. }
  135. //--------------------------------------------------------------------
  136. // find a certificate's hash algorithm in a CSP's list of hash algorithms
  137. HRESULT
  138. FindHashAlgorithm(
  139. IN CERT_CONTEXT const * pccCert,
  140. IN CSP_INFO * pCSPInfo,
  141. OUT CSP_HASH ** ppHash)
  142. {
  143. CSASSERT(NULL!=pccCert);
  144. CSASSERT(NULL!=pCSPInfo);
  145. CSASSERT(NULL!=ppHash);
  147. HRESULT hr;
  148. CSP_HASH * phTravel;
  149. const CRYPT_OID_INFO * pOIDInfo;
  151. // Initialize out param
  152. *ppHash=NULL;
  154. // get the AlgID from the hash algorithm OID
  155. // (returned pointer must not be freed)
  156. pOIDInfo=CryptFindOIDInfo(
  157. CRYPT_OID_INFO_OID_KEY,
  158. pccCert->pCertInfo->SignatureAlgorithm.pszObjId,
  159. CRYPT_SIGN_ALG_OID_GROUP_ID
  160. );
  161. if (NULL==pOIDInfo) {
  162. // function is not doc'd to set GetLastError()
  163. hr=CRYPT_E_NOT_FOUND;
  164. _JumpError(hr, error, "Signature algorithm not found");
  165. }
  167. // find the hash algorithm in the list of hash algorithms the CSP supports
  168. for (phTravel=pCSPInfo->pHashList; NULL!=phTravel; phTravel=phTravel->next) {
  169. if (pOIDInfo->Algid==phTravel->idAlg) {
  170. *ppHash=phTravel;
  171. break;
  172. }
  173. }
  174. if (NULL==phTravel) {
  175. hr=CRYPT_E_NOT_FOUND;
  176. _JumpError(hr, error, "CSP does not support hash algorithm");
  177. }
  179. hr=S_OK;
  181. error:
  182. return hr;
  183. }
  185. /*
  187. HRESULT
  188. HookExistingIdInfoData(
  189. CASERVERSETUPINFO *pServer)
  190. {
  191. HRESULT hr;
  192. int i = 0;
  194. while (NULL != g_ExistingCAIdInfo[i].pszObjId)
  195. {
  196. if (0 == strcmp(szOID_COMMON_NAME,
  197. g_ExistingCAIdInfo[i].pszObjId))
  198. {
  199. g_ExistingCAIdInfo[i].ppwszIdInfo = &pServer->pwszCACommonName;
  200. }
  201. else if (0 == strcmp(szOID_ORGANIZATION_NAME,
  202. g_ExistingCAIdInfo[i].pszObjId))
  203. {
  204. // dead
  205. }
  206. else if (0 == strcmp(szOID_ORGANIZATIONAL_UNIT_NAME,
  207. g_ExistingCAIdInfo[i].pszObjId))
  208. {
  209. // dead
  210. }
  211. else if (0 == strcmp(szOID_LOCALITY_NAME,
  212. g_ExistingCAIdInfo[i].pszObjId))
  213. {
  214. // dead
  215. }
  216. else if (0 == strcmp(szOID_STATE_OR_PROVINCE_NAME,
  217. g_ExistingCAIdInfo[i].pszObjId))
  218. {
  219. // dead
  220. }
  221. else if (0 == strcmp(szOID_COUNTRY_NAME,
  222. g_ExistingCAIdInfo[i].pszObjId))
  223. {
  224. // dead
  225. }
  226. else if (0 == strcmp(szOID_RSA_emailAddr,
  227. g_ExistingCAIdInfo[i].pszObjId))
  228. {
  229. // dead
  230. }
  231. else
  232. {
  233. hr = E_INVALIDARG;
  234. _JumpError(hr, error, "unsupported name");
  235. }
  237. ++i;
  238. }
  240. hr = S_OK;
  241. error:
  242. return hr;
  243. }
  244. */
  246. HRESULT
  247. DetermineExistingCAIdInfo(
  248. IN OUT CASERVERSETUPINFO *pServer,
  249. OPTIONAL IN CERT_CONTEXT const *pUpgradeCert)
  250. {
  251. CERT_NAME_INFO *pCertNameInfo = NULL;
  252. DWORD cbCertNameInfo;
  253. WCHAR const *pwszNameProp;
  254. HRESULT hr = E_FAIL;
  255. CERT_CONTEXT const *pCert = pServer->pccExistingCert;
  257. CSASSERT(NULL!=pServer->pccExistingCert ||
  258. NULL != pUpgradeCert);
  260. if (NULL == pUpgradeCert)
  261. {
  262. myMakeExprValidity(
  263. &pServer->pccExistingCert->pCertInfo->NotAfter,
  264. &pServer->lExistingValidity);
  266. pServer->NotBefore = pServer->pccExistingCert->pCertInfo->NotBefore;
  267. pServer->NotAfter = pServer->pccExistingCert->pCertInfo->NotAfter;
  268. }
  270. if (NULL != pUpgradeCert)
  271. {
  272. pCert = pUpgradeCert;
  273. }
  275. if (!myDecodeName(X509_ASN_ENCODING,
  276. X509_UNICODE_NAME,
  277. pCert->pCertInfo->Subject.pbData,
  278. pCert->pCertInfo->Subject.cbData,
  279. CERTLIB_USE_LOCALALLOC,
  280. &pCertNameInfo,
  281. &cbCertNameInfo))
  282. {
  283. hr = myHLastError();
  284. _JumpError(hr, error, "myDecodeName");
  285. }
  287. /*
  288. // fill a data structure for existing key id info
  289. hr = HookExistingIdInfoData(pServer);
  290. _JumpIfError(hr, error, "HookExistingIdInfoData");
  292. // load names from cert to the the data structure
  293. i = 0;
  295. while (NULL != g_ExistingCAIdInfo[i].pszObjId)
  296. {
  297. if (S_OK == myGetCertNameProperty(
  298. pCertNameInfo,
  299. g_ExistingCAIdInfo[i].pszObjId,
  300. &pwszNameProp))
  301. {
  302. pwszExisting = (WCHAR*)LocalAlloc(LPTR,
  303. (wcslen(pwszNameProp) + 1) * sizeof(WCHAR));
  304. _JumpIfOutOfMemory(hr, error, pwszExisting);
  306. // get name
  307. wcscpy(pwszExisting, pwszNameProp);
  309. // make sure free old
  310. if (NULL != *(g_ExistingCAIdInfo[i].ppwszIdInfo))
  311. {
  312. LocalFree(*(g_ExistingCAIdInfo[i].ppwszIdInfo));
  313. }
  314. *(g_ExistingCAIdInfo[i].ppwszIdInfo) = pwszExisting;
  315. }
  316. ++i;
  317. }
  318. */
  319. hr = myGetCertNameProperty(
  320. FALSE,
  321. pCertNameInfo,
  322. szOID_COMMON_NAME,
  323. &pwszNameProp);
  324. if (hr == S_OK)
  325. {
  326. if(pServer->pwszCACommonName)
  327. {
  328. LocalFree(pServer->pwszCACommonName);
  329. pServer->pwszCACommonName = NULL;
  330. }
  332. // Common name exists, copy it out
  333. hr = myDupString(pwszNameProp, &(pServer->pwszCACommonName));
  334. _JumpIfError(hr, error, "myDupString");
  335. }
  337. if(pServer->pwszFullCADN)
  338. {
  339. LocalFree(pServer->pwszFullCADN);
  340. pServer->pwszFullCADN = NULL;
  341. }
  343. // now get everything else
  344. hr = myCertNameToStr(
  345. X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
  346. &pCert->pCertInfo->Subject,
  347. CERT_X500_NAME_STR | CERT_NAME_STR_COMMA_FLAG | CERT_NAME_STR_REVERSE_FLAG,
  348. &pServer->pwszFullCADN);
  349. _JumpIfError(hr, error, "myCertNameToStr");
  351. // No need for a DN suffix, the full DN is already in the cert
  353. if(pServer->pwszDNSuffix)
  354. {
  355. LocalFree(pServer->pwszDNSuffix);
  356. pServer->pwszDNSuffix = NULL;
  357. }
  359. hr = myDupString(L"", &(pServer->pwszDNSuffix));
  360. _JumpIfError(hr, error, "myDupString");
  362. hr = S_OK;
  364. error:
  365. if (NULL != pCertNameInfo)
  366. {
  367. LocalFree(pCertNameInfo);
  368. }
  369. return hr;
  370. }
  372. //--------------------------------------------------------------------
  373. // find a cert that matches the currently selected CSP and key container name
  374. // returns CRYPT_E_NOT_FOUND if no certificate. Caller MUST free the returned
  375. // context.
  376. // Note: IT IS VERY IMPORTANT that pfx import maintains all the
  377. // invariants about CSP, key container, hash, cert validity, etc.
  378. // that the rest of the UI (including this function) maintains.
  379. HRESULT
  380. FindCertificateByKey(
  381. IN CASERVERSETUPINFO * pServer,
  382. OUT CERT_CONTEXT const ** ppccCertificateCtx)
  383. {
  384. CSASSERT(NULL!=pServer);
  385. CSASSERT(NULL!=ppccCertificateCtx);
  387. HRESULT hr;
  388. DWORD dwPublicKeySize;
  389. BOOL bRetVal;
  390. DWORD dwVerificationFlags;
  391. CERT_CONTEXT const *pccFound = NULL;
  393. // variables that must be cleaned up
  394. HCRYPTPROV hProv=NULL;
  395. CERT_PUBLIC_KEY_INFO * pcpkiKeyInfo=NULL;
  396. CERT_CONTEXT const * pccCurrentCert=NULL;
  398. // initialize out param
  399. *ppccCertificateCtx=NULL;
  401. // open certificate store if it is not already open
  402. if (NULL==pServer->hMyStore) {
  403. pServer->hMyStore=CertOpenStore(
  404. CERT_STORE_PROV_SYSTEM_W,
  405. X509_ASN_ENCODING,
  406. NULL, // hProv
  407. CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_ENUM_ARCHIVED_FLAG,
  408. wszMY_CERTSTORE);
  409. if (NULL==pServer->hMyStore) {
  410. hr=myHLastError();
  411. _JumpError(hr, error, "CertOpenStore");
  412. }
  413. }
  415. //
  416. // Get public key blob from key container
  417. // Note: This may fail if key is not
  418. // AT_SIGNATURE, but we will never actually use the key in
  419. // this case anyway so it's ok to not find any certs
  420. //
  422. DBGPRINT((
  423. DBG_SS_CERTOCM,
  424. "FindCertificateByKey: key=%ws\n",
  425. pServer->pwszKeyContainerName));
  427. // first, open the key container
  428. bRetVal=myCertSrvCryptAcquireContext(
  429. &hProv,
  430. pServer->pwszKeyContainerName,
  431. pServer->pCSPInfo->pwszProvName,
  432. pServer->pCSPInfo->dwProvType,
  433. CRYPT_SILENT, // we should never have to ask anything to get this info
  434. pServer->pCSPInfo->fMachineKeyset);
  435. if (FALSE==bRetVal) {
  436. hr=myHLastError();
  437. _JumpError(hr, error, "myCertSrvCryptAcquireContext");
  438. }
  440. // get the size of the blob
  441. bRetVal=CryptExportPublicKeyInfo(
  442. hProv,
  443. AT_SIGNATURE,
  444. X509_ASN_ENCODING,
  445. NULL, //determine size
  446. &dwPublicKeySize);
  447. if (FALSE==bRetVal) {
  448. hr=myHLastError();
  449. _JumpError(hr, error, "CryptExportPublicKeyInfo (get data size)");
  450. }
  452. // allocate the blob
  453. pcpkiKeyInfo=(CERT_PUBLIC_KEY_INFO *)LocalAlloc(LMEM_FIXED, dwPublicKeySize);
  454. _JumpIfOutOfMemory(hr, error, pcpkiKeyInfo);
  456. // get the public key info blob
  457. bRetVal=CryptExportPublicKeyInfo(
  458. hProv,
  459. AT_SIGNATURE,
  460. X509_ASN_ENCODING,
  461. pcpkiKeyInfo,
  462. &dwPublicKeySize);
  463. if (FALSE==bRetVal) {
  464. hr=myHLastError();
  465. _JumpError(hr, error, "CryptExportPublicKeyInfo (get data)");
  466. }
  468. //
  469. // Find a certificate that has a matching key, has not expired,
  470. // and is self-signed or not self-signed depending upon
  471. // the CA type we are trying to install
  472. //
  474. for (;;)
  475. {
  476. // find the next cert that has this public key
  477. // Note: the function will free the previously
  478. // used context when we pass it back
  479. pccCurrentCert=CertFindCertificateInStore(
  480. pServer->hMyStore,
  481. X509_ASN_ENCODING,
  482. 0, // flags
  483. CERT_FIND_PUBLIC_KEY,
  484. pcpkiKeyInfo,
  485. pccCurrentCert);
  487. // exit the loop when we can find no more matching certs
  489. if (NULL == pccCurrentCert)
  490. {
  491. hr = myHLastError();
  492. if (NULL != pccFound)
  493. {
  494. break;
  495. }
  496. _JumpError(hr, error, "CertFindCertificateInStore");
  497. }
  499. // check to make sure that the cert has not expired
  500. // first, we flag what we want to check
  502. dwVerificationFlags = CERT_STORE_TIME_VALIDITY_FLAG;
  504. // perform the checks
  506. bRetVal=CertVerifySubjectCertificateContext(
  507. pccCurrentCert,
  508. NULL, // issuer; not needed
  509. &dwVerificationFlags);
  510. if (FALSE==bRetVal) {
  511. _PrintError(myHLastError(), "CertVerifySubjectCertificateContext");
  512. // this should not fail, but maybe we got a bad cert. Keep looking.
  513. continue;
  514. }
  515. // Every check that passed had its flag zeroed. See if our check passed
  516. if (CERT_STORE_TIME_VALIDITY_FLAG&dwVerificationFlags){
  517. // This cert is expired and we can't use it. Keep looking.
  518. continue;
  519. }
  521. // verify to make sure no cert in chain is revoked, but don't kill
  522. // yourself if can't connect
  523. // allow untrusted cert if installing a root
  525. hr = myVerifyCertContext(
  526. pccCurrentCert,
  527. CA_VERIFY_FLAGS_IGNORE_OFFLINE |
  528. (IsRootCA(pServer->CAType)?
  529. CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT : 0),
  530. 0,
  531. NULL,
  532. HCCE_LOCAL_MACHINE,
  533. NULL,
  534. NULL);
  535. if (S_OK != hr)
  536. {
  537. // At least one cert is revoked in chain
  538. _PrintError(hr, "myVerifyCertContext");
  539. continue;
  540. }
  542. // See if this cert appropriately is self-signed or not.
  543. // A root CA cert must be self-signed, while
  544. // a subordinate CA cert must not be self-signed.
  545. hr=IsCertSelfSignedForCAType(pServer, pccCurrentCert, &bRetVal);
  546. if (FAILED(hr)) {
  547. // this should not fail, but maybe we got a bad cert. Keep looking.
  548. _PrintError(hr, "IsCertSelfSignedForCAType");
  549. continue;
  550. }
  551. if (FALSE==bRetVal) {
  552. // this cert is not appropriate for this CA type
  553. _PrintError(S_FALSE, "bad CA Type");
  554. continue;
  555. }
  557. // If we got here, the cert we have is a good one.
  558. // If we already found a good cert and this one expires later,
  559. // toss the old one and save this one.
  561. if (NULL != pccFound)
  562. {
  563. if (0 > CompareFileTime(
  564. &pccCurrentCert->pCertInfo->NotAfter,
  565. &pccFound->pCertInfo->NotAfter))
  566. {
  567. continue; // old one is newer -- keep it
  568. }
  569. CertFreeCertificateContext(pccFound);
  570. pccFound = NULL;
  571. }
  572. pccFound = CertDuplicateCertificateContext(pccCurrentCert);
  573. if (NULL == pccFound)
  574. {
  575. hr = myHLastError();
  576. _JumpError(hr, error, "CertDuplicateCertificateContext");
  577. }
  579. } // <- End certificate finding loop
  581. CSASSERT(NULL != pccFound);
  582. *ppccCertificateCtx = pccFound;
  583. pccFound = NULL;
  584. hr = S_OK;
  586. error:
  587. if (NULL!=hProv) {
  588. CryptReleaseContext(hProv, 0);
  589. }
  590. if (NULL!=pcpkiKeyInfo) {
  591. LocalFree(pcpkiKeyInfo);
  592. }
  593. if (NULL != pccFound)
  594. {
  595. CertFreeCertificateContext(pccFound);
  596. }
  597. if (NULL!=pccCurrentCert) {
  598. CertFreeCertificateContext(pccCurrentCert);
  599. }
  600. if (S_OK!=hr && CRYPT_E_NOT_FOUND!=hr) {
  601. _PrintError(hr, "Ignoring error in FindCertificateByKey, returning CRYPT_E_NOT_FOUND")
  602. hr=CRYPT_E_NOT_FOUND;
  603. }
  605. return hr;
  606. }
  608. //--------------------------------------------------------------------
  609. // Set which existing certificate we want to use
  610. HRESULT
  611. SetExistingCertToUse(
  612. IN CASERVERSETUPINFO * pServer,
  613. IN CERT_CONTEXT const * pccCertCtx)
  614. {
  615. CSASSERT(NULL!=pServer);
  616. CSASSERT(NULL!=pccCertCtx);
  618. HRESULT hr;
  619. CSP_HASH * pHash;
  621. // to use an existing cert, we must use an existing key
  622. CSASSERT(NULL!=pServer->pwszKeyContainerName);
  624. // find the hash algorithm that matches this cert, and use it if possible
  625. // otherwise, stick with what we are currently using.
  626. hr=FindHashAlgorithm(pccCertCtx, pServer->pCSPInfo, &pHash);
  627. if (S_OK==hr) {
  628. pServer->pHashInfo = pHash;
  629. }
  631. hr = myGetNameId(pccCertCtx, &pServer->dwCertNameId);
  632. _PrintIfError(hr, "myGetNameId");
  634. if (MAXDWORD == pServer->dwCertNameId)
  635. {
  636. pServer->dwCertNameId = 0;
  637. }
  639. ClearExistingCertToUse(pServer);
  640. pServer->pccExistingCert=pccCertCtx;
  643. // We could assume that everything will work, but it doesn't take long to check
  644. //pServer->fValidatedHashAndKey=TRUE;
  646. hr=S_OK;
  648. //error:
  649. return hr;
  650. }
  652. //--------------------------------------------------------------------
  653. // stop using an existing certificate
  654. void
  655. ClearExistingCertToUse(
  656. IN CASERVERSETUPINFO * pServer)
  657. {
  658. CSASSERT(NULL!=pServer);
  660. if (NULL!=pServer->pccExistingCert) {
  661. CertFreeCertificateContext(pServer->pccExistingCert);
  662. pServer->pccExistingCert=NULL;
  663. }
  664. }